Skip to content
This repository was archived by the owner on Aug 31, 2018. It is now read-only.

Commit 9fcd60c

Browse files
MylesBorinsaddaleax
MylesBorins
authored and
addaleax
committed
2017-10-24, Version 4.8.5 'Argon' (Maintenance)
This is a security release. All Node.js users should consult the security release summary at: https://nodejs.org/en/blog/vulnerability/oct-2017-dos/ for details on patched vulnerabilities. Notable Changes: * zlib: - CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an error to be raised when a raw deflate stream is initialized with windowBits set to 8. On some versions this crashes Node and you cannot recover from it, while on some versions it throws an exception. Node.js will now gracefully set windowBits to 9 replicating the legacy behavior to avoid a DOS vector. nodejs-private/node-private#95 PR-URL: nodejs-private/node-private#96
1 parent ebb7e76 commit 9fcd60c

File tree

2 files changed

+17
-1
lines changed

2 files changed

+17
-1
lines changed

CHANGELOG.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -93,7 +93,8 @@ release.
9393
<a href="doc/changelogs/CHANGELOG_V6.md#6.0.0">6.0.0</a><br/>
9494
</td>
9595
<td valign="top">
96-
<b><a href="doc/changelogs/CHANGELOG_V4.md#4.8.4">4.8.4</a></b><br/>
96+
<b><a href="doc/changelogs/CHANGELOG_V4.md#4.8.5">4.8.5</a></b><br/>
97+
<a href="doc/changelogs/CHANGELOG_V4.md#4.8.4">4.8.4</a><br/>
9798
<a href="doc/changelogs/CHANGELOG_V4.md#4.8.3">4.8.3</a><br/>
9899
<a href="doc/changelogs/CHANGELOG_V4.md#4.8.2">4.8.2</a><br/>
99100
<a href="doc/changelogs/CHANGELOG_V4.md#4.8.1">4.8.1</a><br/>

doc/changelogs/CHANGELOG_V4.md

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,7 @@
77
</tr>
88
<tr>
99
<td valign="top">
10+
<a href="#4.8.5">4.8.5</a><br/>
1011
<a href="#4.8.4">4.8.4</a><br/>
1112
<a href="#4.8.3">4.8.3</a><br/>
1213
<a href="#4.8.2">4.8.2</a><br/>
@@ -63,6 +64,20 @@
6364
[Node.js Long Term Support Plan](https://github.com/nodejs/LTS) and
6465
will be supported actively until April 2017 and maintained until April 2018.
6566

67+
<a id="4.8.5"></a>
68+
## 2017-10-24, Version 4.8.5 'Argon' (Maintenance), @MylesBorins
69+
70+
This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/oct-2017-dos/ for details on patched vulnerabilities.
71+
72+
### Notable Changes
73+
74+
* **zlib**:
75+
- CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an error to be raised when a raw deflate stream is initialized with windowBits set to 8. On some versions this crashes Node and you cannot recover from it, while on some versions it throws an exception. Node.js will now gracefully set windowBits to 9 replicating the legacy behavior to avoid a DOS vector. [nodejs-private/node-private#95](https://github.com/nodejs-private/node-private/pull/95)
76+
77+
### Commits
78+
79+
* [[`f5defa2a7c`](https://github.com/nodejs/node/commit/733578bb2e)] - **zlib**: gracefully set windowBits from 8 to 9 (Myles Borins) [nodejs-private/node-private#95](https://github.com/nodejs-private/node-private/pull/95)
80+
6681
<a id="4.8.4"></a>
6782
## 2017-07-11, Version 4.8.4 'Argon' (Maintenance), @MylesBorins
6883

0 commit comments

Comments
 (0)